
Researchers Tout New Network Worm Weapon

samzenpus posted more than 6 years ago | from the network-thumper dept.

Worms 101

coondoggie writes "Can Internet worms be thwarted within minutes of their infection? Researchers at Ohio State University believe they can. The key, researchers found, is for software to monitor the number of scans that machines on a network send out. When a machine starts sending out too many scans — a sign that it has been infected — administrators should take it off line and check it for viruses. In a nutshell, the researchers developed a model that calculated the probability that a virus would spread, depending on the maximum number of scans allowed before a machine was taken off line. 'The difficulty was figuring out how many scans were too many,' researchers said."

101 comments


Neat (5, Insightful)

Zironic (1112127) | more than 6 years ago | (#23660943)

One of the hardest things to account for when it comes to setting the limit for the number of scans a computer can reasonably make must be bittorrent; a computer actively seeding files through bittorrent might connect to hundreds of computers for each file.

I suppose the admin of a corporate network will probably frown on active bittorrent use in general though.

Re:Neat (5, Insightful)

zappepcs (820751) | more than 6 years ago | (#23661227)

It's not the corporate network where this will be problematic. It is TimeWarner and Comcast. Remember the recent story about MediaDefender? Assumptions about scans are just that. As soon as this methodology is implemented, worms will scan much slower. After all, a virus/worm author normally has some time to build the botnet before they want to activate it. Nothing really depends on quick proliferation except damaging worms.

IMO, it is the botnets that do the most damage as a collective thing. Stopping a worm that bricks your machine is not hard LOL, stopping one that bricks other machines is good. Stopping DDoS attacks is even MORE important. It is the attack for hire model of hacking that really sucks bad.

If the botnet owner takes a few months to build the botnet, it is still a botnet. Even better if s/he hides data in video packets or VoIP or IM packets.

The only real way that I can see to stop the damage is to have 99.9999%+ computers in the world running in a sandbox where the perimeter monitors everything that the user software is doing. So, even if the corporate network is functioning like a sandbox (as it already should be) the danger from worms forming botnets is still a threat, this merely lessens the threat of a quickly spreading/created botnet/worm.

Slashdot slashdotted!! ATTN: patar@slashdot.org (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#23661519)

Gotta hate those apache .htaccess errors, patar@slashdot.org

Re:Neat (1)

Yath (6378) | more than 6 years ago | (#23663247)

Can we stop using the term "brick" in reference to something that merely makes a system unbootable?

Merely? M E R E L Y ???? (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23663741)

I'm betting that you have never been in a hurry but had to buy a new copy of Windows to replace the OEM version that just was FUBAR by a virus or malicious piece of software, or perhaps even by a malignant end user who knows far too much about the delete command and far too little about the windows and system directories.

Unbootable does NOT even begin to describe what you have on your hands. Brick, on the other hand, gets kind of close and conveys the proper frame of mind when you have experienced that kind of frustration. I believe that those who advocate the changing and fluid nature of a language would approve of that use of the word as confined to the electronics realm.

It becomes an even more appropriate usage when you consider that most consumer electronics products are or are very close to throw-away status. That is to say that once they malfunction permanently, it is cheaper to replace them with new units than to have them repaired. This leaves you with something that is about the same use to the average person in their home or office as a brick, Acme or otherwise.

You personally are welcome to not use the word in that context. The rest of us, meh... fsck it, it works for me.

Re:Merely? M E R E L Y ???? (2, Informative)

Anonymous Coward | more than 6 years ago | (#23663955)

"Brick" means not revivable except possibly with special equipment that nobody has (an eprom programmer for example). What you describe is nowhere near that, it is only a temporary inconvenience.

Re:Merely? M E R E L Y ???? (1)

Bryansix (761547) | more than 6 years ago | (#23670705)

No, brick is like when the virus ups the voltage on the motherboard and literally ignites the processor on fire. THAT is a brick. It's not coming back and would better serve as a building material than a computer.

Re:Merely? M E R E L Y ???? (4, Insightful)

Yetihehe (971185) | more than 6 years ago | (#23664515)

And this is the way the word "hacker" lost its meaning.

I, for one, love this "brick" terminology (1)

Christophotron (812632) | more than 6 years ago | (#23664917)

I love it when stupid people believe their hardware is "bricked" and throw it away. It really sucks for the environment, though; I can't get to every old PC before it ends up in the local landfill. It *is* a serious problem, but that doesn't mean I can't benefit from it occasionally. It's a guilty pleasure.

I scour the local dumpsters for computers (college dorm room dumpsters on move-out day are a freakin' gold mine), reinstall the OS, and do some good with them. Or just fix them and sell them back to the idiots who threw them away in the first place. LMAO.

Anti-DDoS TCP/IP additions? (3, Insightful)

Mathinker (909784) | more than 6 years ago | (#23664115)

> Stopping DDoS attacks is even MORE important.

What if a "you're DoS-ing me" reply packet was added to TCP/IP, which could be picked up at the ISP level and would (ideally) cause the ISP to throttle that user's bandwidth to the site in question for a short period of time?

The problem with this kind of hacked-on solution is that it often causes other vulnerabilities --- in this case, what if the botnet was set up to spread faked "you're DoS-ing me" packets? One could hope that ISPs would filter such outgoing packets (from their home users), but given the general lack of cooperation of the ISPs against network hacking (or has this changed? Have any ISPs finally implemented egress filters for packets with faked headers nowadays?) I wouldn't hold my breath...

Re:Anti-DDoS TCP/IP additions? (1)

MagicM (85041) | more than 6 years ago | (#23668537)

Something like this? ICMP Source Quench [wikipedia.org]

Re:Anti-DDoS TCP/IP additions? (1)

Mathinker (909784) | more than 6 years ago | (#23673953)

Thanks for the info!

Yes, something like that, but designed for malicious overloading. But as I said, it would have to be enforced at the hardware modem level or the ISP level for it to be effective. Along with similar measures against packets with forged headers (so the replies actually return to the abuser).

Maybe someday!

Re:Neat (2, Interesting)

deroby (568773) | more than 6 years ago | (#23665203)

In theory, worms simply don't have 'months' to spread, because, in theory, a vulnerability is detected and fixed within a short time-span, hence, the worm needs to abuse it as much as possible in the shortest time possible, right!?

In practice, of course:
* there are vulnerabilities that nobody (except the abuser) knows about and hence 'spreading slowly' is fine too
* exploits are only created AFTER they have been identified (see "script kiddies") and rely upon people that are too uneducated/lazy/slow/dumb/paranoid/... to keep their system (more or less) secure, so again, 'spreading slowly' is fine again... the target audience will be smaller, but is still there.

So yes, I think it WILL help to have this kind of system in place (**), but indeed it sounds like it will simply be a matter of 'knowing the magic value' and making sure one's worm stays right below that threshold.

FTA : "An infected machine would reach this value very quickly, while a regular machine would not," Shroff explained. "A worm has to hit so many IP addresses so quickly in order to survive."

The main question here is IMHO: what do they mean with SCANS? Are those (failed) connections that do not get ACKs back? I'm pretty sure most P2P traffic would be able to cause false alerts, and although the network admin wouldn't be too happy to have bittorrent or emule on a machine (different from his own =), I can tell you that e.g. Skype can't be missed anymore where I work.

** remember MS already did something similar when SQL SLAMMER hit IIRC, and look where that got us: major cry-out that MS limited the number of new outward connections per second.

Re:Neat (1)

redxxx (1194349) | more than 6 years ago | (#23668163)

> The main question here is IMHO: what do they mean with SCANS? Are those (failed) connections that do not get ACKs back? I'm pretty sure most P2P traffic would be able to cause false alerts, and although the network admin wouldn't be too happy to have bittorrent or emule on a machine (different from his own =), I can tell you that e.g. Skype can't be missed anymore where I work.

This runs over a network right? Between ARP poisoning, MAC address spoofing, and promiscuous tcp/ip, wouldn't it be pretty easy to obfuscate which computer is doing the scanning? They can just dump whatever packets they want onto the network, and see the responses.

It would still show that some computer on the network is being naughty, but it should be easy to hide which computer it actually is.

Not that it won't help somewhat, but it's just another step in the arms race.

That word brick... (1)

Joce640k (829181) | more than 6 years ago | (#23665621)

I don't think it means what you think it means.

Re:Neat (1, Funny)

Vectronic (1221470) | more than 6 years ago | (#23661267)

Although, this may work for a University/College, or business network (to a significant degree at least) where someone can physically go to the computer and check it out, or at least momentarily take it offline and tell it to scan/scan it...

But, I don't see how this would work (such as you mentioned BitTorrent, et al) for the 'public' unless ISPs start DoS-ing their customers, or sending them direct messages...

Suspicious Amount Of Traffic Detected, Disconnect From Internet?
(Cancel) (Allow)

Which would mean more crap running in the background, or another exploitable access point, similar to "Messenger Service" on Windows... Oh great fun.

Re:Neat (5, Interesting)

moderatorrater (1095745) | more than 6 years ago | (#23661483)

They were looking at 10,000 scans, which would be about how much I would expect my constantly-on bittorrent to do over the course of a week or more. I don't think it'll be a problem at that threshold.

At lower thresholds (which they'll surely need since worms and viruses will just start scanning more slowly), they can start analyzing patterns and individual packets. This won't solve the problem overnight, but it will eliminate virtually all worms and viruses in the wild right now and make future worms and viruses propagate much more slowly.

If I am in a position of authority over a network, (2, Funny)

patio11 (857072) | more than 6 years ago | (#23663201)

...blocking Bittorrent isn't a bug, it is a feature.

Re:If I am in a position of authority over a netwo (1)

Stewie241 (1035724) | more than 6 years ago | (#23671577)

Don't know if you were joking or not (you were modded funny), but I wish I could easily block bittorrent traffic with my netgear router, or at least throttle it. I share my connection with tenants in our house, and it would be great to be able to limit their bandwidth rather than telling them not to use bittorrent.

Re:Neat (1)

Redwin (805980) | more than 6 years ago | (#23666425)

I can't access the paper to check, but I think it is the same paper I read when it first came out in 2005 (search scholar.google.com for "Collaborative Internet worm containment"). They gave a possible fix for p2p traffic at least by examining the number of unique connections made over a long period of time (say 1 month). If 10,000 unique connections were made within the course of the one month time frame the threshold would be breached. If I remember correctly they found out that the average user who uses filesharing programs for most of the time still only makes about 4000 UNIQUE connections over a one month period. A worm on the other hand would reach that limit within seconds identifying itself even over a program that normally makes a lot of connections.

I think they also note that this only works for fast worms and not stealth ones that take their time to propagate.

Still, it is an interesting idea and one that I made a few references to in my research at the time!
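
As an added example (not code from the paper or from any poster in this thread), here is a detector built around the two counts discussed above: distinct destinations per internal host over a monitoring window (the 10,000-per-month figure Redwin quotes) and connection attempts that never got an answer (deroby's question of what counts as a "scan"). All hosts, addresses and traffic below are constructed, and the 500-unanswered-SYN limit is an assumed value, not one from the paper.

```python
"""Threshold-based scan detection as discussed in the thread (added example).

Two per-source counters over a monitoring window:
  * distinct destination addresses contacted (the "unique connections" count)
  * connection attempts the peer never answered (SYNs without a SYN/ACK)
A source is flagged when either count exceeds its threshold.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # internal host that opened the connection
    dst: str        # address it tried to reach
    dport: int
    answered: bool  # True if a SYN/ACK came back, False if the SYN went unanswered


def p2p_host_flows(src="10.0.0.5", repeats=5):
    """Constructed file-sharing client: many connections, but to a limited peer
    set, and most of them answered. repeats*300 flows to 200 distinct peers."""
    flows = []
    for _ in range(repeats):
        for i in range(300):
            flows.append(Flow(src, f"198.51.100.{i % 200}", 6881 + i % 10,
                              answered=(i % 7 != 0)))
    return flows


def fast_scanner_flows(src="10.0.0.9", count=12000):
    """Constructed scanning host: one attempt per address across a sequential
    sweep, almost all unanswered. `count` flows to `count` distinct addresses."""
    return [Flow(src, f"10.1.{i // 250}.{i % 250 + 1}", 445, answered=(i % 50 == 0))
            for i in range(count)]


def slow_scanner_flows(src="10.0.0.23", count=3000):
    """Constructed throttled scanner: stays under the unique-destination limit
    but still leaves a trail of unanswered SYNs."""
    return [Flow(src, f"10.2.{i // 250}.{i % 250 + 1}", 445, answered=False)
            for i in range(count)]


def sample_flows():
    """One constructed monitoring window with traffic from three internal hosts."""
    return p2p_host_flows() + fast_scanner_flows() + slow_scanner_flows()


def summarize(flows):
    """Per-source counters: distinct destinations, unanswered attempts, total."""
    uniq = defaultdict(set)
    failed = defaultdict(int)
    total = defaultdict(int)
    for f in flows:
        uniq[f.src].add(f.dst)
        total[f.src] += 1
        if not f.answered:
            failed[f.src] += 1
    return {src: {"unique_dst": len(uniq[src]),
                  "failed": failed[src],
                  "total": total[src]} for src in uniq}


def detect_scanners(flows, max_unique_dst=10_000, max_failed=500):
    """Return {src: [reasons]} for every host over either threshold.

    max_unique_dst defaults to the 10,000-per-window figure quoted in the
    thread; max_failed=500 is an assumed value for this example."""
    flagged = {}
    for src, s in summarize(flows).items():
        reasons = []
        if s["unique_dst"] > max_unique_dst:
            reasons.append(f"{s['unique_dst']} distinct destinations > {max_unique_dst}")
        if s["failed"] > max_failed:
            reasons.append(f"{s['failed']} unanswered SYNs > {max_failed}")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for src, why in sorted(detect_scanners(sample_flows()).items()):
        print(f"{src}: take offline and inspect; " + "; ".join(why))
```

The P2P host (1,500 connections, 200 distinct peers) stays under both limits; the fast sweep trips both, and the throttled one is caught only by the unanswered-SYN count, which is the gap the thread points out for slow worms.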

Well? (2, Insightful)

Anonymous Coward | more than 6 years ago | (#23660953)

Can useless messages be moderated within minutes of their posting?

Re:Well? (0, Troll)

ATMD (986401) | more than 6 years ago | (#23662411)

Sure. You set up a system to detect increased levels of slashdotting, which indicates that people have given up looking at imbecilic comments like this one and actually gone to RTFA.

Re:Well? (2, Funny)

ELProphet (909179) | more than 6 years ago | (#23663719)

They could, if I didn't just waste my mod points by commenting in a thread I just modded... crap!

not going to work (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23661023)

sorry dude, but it's just not going to work, try again.

Isn't this already available... (0)

Anonymous Coward | more than 6 years ago | (#23661029)

Doesn't D-Link already supply this with UTM/NetDefence?

iPhones (2, Interesting)

Enderandrew (866215) | more than 6 years ago | (#23661041)

Don't iPhones send out an insane number of scans per minute? Isn't that why Duke University banned them from their network, and how that couple had a $3,000 data charge bill from taking their iPhone on a cruise, even though they didn't use it?

Re:iPhones (2, Informative)

tlhIngan (30335) | more than 6 years ago | (#23663751)

> Don't iPhones send out an insane number of scans per minute? Isn't that why Duke University banned them from their network, and how that couple had a $3,000 data charge bill from taking their iPhone on a cruise, even though they didn't use it?

Not really.

The reason Duke had to ban them was because the way they did their WiFi somehow clashed with the way Duke's WiFi network was set up. The end result was that a small concentration of iPhones managed to actually take down the WiFi network by consuming inordinate amounts of CPU time on the WiFi processors. This was confined to that one network - everywhere else, even those using the same WiFi accesspoints, worked just fine. It was an oddball configuration issue.

As for the $3000 phone bill, it is true. But it's not because of the scans - it's because the person was roaming, and data roaming is pricey. You can configure the iPhone to poll a mail server every so often (regular POP or IMAP). Guess what? Checking POP or IMAP takes bytes, and bytes are pricey (easily 5 cents per 1000 bytes or less - some providers count every byte sent over the air including all headers and trailers, and not just raw IP packets). This was resolved in a 1.1 firmware update which has the option to disable data roaming (the iPhone will not make an EDGE connection if it detects it's roaming - it won't even make a standby connection).

Don't Worry! (-1, Troll)

kcbanner (929309) | more than 6 years ago | (#23661045)

I can explain how this works with a simple cat analogy!

Re:Don't Worry! (1)

superdave80 (1226592) | more than 6 years ago | (#23661119)

Sorry, you must be new here. Car analogies are the only acceptable analogy on /.

Re:Don't Worry! (1)

kcbanner (929309) | more than 6 years ago | (#23661159)

But my UID < Yours

Re:Don't Worry! (0)

Anonymous Coward | more than 6 years ago | (#23661129)

Like putting too much air in a balloon!

Re:Don't Worry! (1)

Dachannien (617929) | more than 6 years ago | (#23661459)

> I can explain how this works with a simple cat analogy!

You mean.... like this? [icanhascheezburger.com]

SOP - Standard operating procedure (4, Funny)

bernywork (57298) | more than 6 years ago | (#23661051)

Network admins quite often scan large amount of network space especially for vulnerabilities, I know, I do it every day. Device discovery on networks for monitoring, IP address management, the list goes on.

There is the alternative though...

http://xkcd.com/416/ [xkcd.com]

Re:SOP - Standard operating procedure (1)

cp.tar (871488) | more than 6 years ago | (#23664625)

Hey, if Vigor was coded after appearing in UF, I don't see why this couldn't be done...

Something like that is already in use (0)

Anonymous Coward | more than 6 years ago | (#23661101)

The network operations center at the RWTH-Aachen university in Germany automatically warns users when an infection of their computer is detected and after a short while, if the user does not remove the infection, takes the computer offline. They call the system "Blast-o-Mat", which hints at the cause of its inception. You can see the statistics here: http://www1.rz.rwth-aachen.de/kommunikation/betrieb/auto/status/blast-o-mat.php [rwth-aachen.de]

Re:Something like that is already in use (1, Informative)

Anonymous Coward | more than 6 years ago | (#23661233)

There is an article [usenix.org] about the Blast-o-Mat in the December 2006 issue of the USENIX magazine. [usenix.org]

IDS (3, Insightful)

imunfair (877689) | more than 6 years ago | (#23661123)

Isn't the described method basically a slight variation on the whole IDS scheme? Establish a baseline and compare to it...? For some reason they don't seem to have thought of the baseline part yet though - apparently they didn't do their research well. Granted I think the baseline is usually bandwidth usage or something of that sort, but this is basically the same thing.

Re:IDS (2, Interesting)

ShakaUVM (157947) | more than 6 years ago | (#23661209)

Yeah, just watching the number of scans a computer makes isn't worm detection, per se, but more of intrusion detection, as you say.

It will incidentally also allow network admins to automatically shut down bittorrent, so it should be quite popular.

Re:IDS (1)

TubeSteak (669689) | more than 6 years ago | (#23662797)

> Establish a baseline and compare to it...? For some reason they don't seem to have thought of the baseline part yet though - apparently they didn't do their research well.

Huh? Did you RTFA?

Their baseline is 10,000 connections a month.
Anything over that gets flagged.

I guess 10,000 connection per month is a lot for a corporate environment.
Obviously that number would need to be tweaked depending on the company, but 10k is their baseline.

Or does baseline mean something other than what I think it means?

And now that... (4, Interesting)

Ai Olor-Wile (997427) | more than 6 years ago | (#23661161)

...it has been posted on the front page of Slashdot, every future worm author will code their stuff to spread more slowly, so that the increase in scan rate is negligible. Hooray for self-obsoleting discoveries!

(Don't get me wrong, I'm a huge proponent of publicly posting computer security information. But this seems pretty easy to circumvent when considered, no?)

Re:And now that... (4, Insightful)

quercus.aeternam (1174283) | more than 6 years ago | (#23661273)

If the worms are coded to spread more slowly, it will decrease the rate of propagation, making it more difficult for the worms to survive.

If they don't alter their code, worms will have a much harder time surviving on networks that take advantage of this discovery.

The net effect is positive.

Re:And now that... (2, Insightful)

Goaway (82658) | more than 6 years ago | (#23662415)

Actually, worms are already spreading slower in order to survive longer. Even without a system like this, a worm that spreads fast gathers much more attention than one that spreads slow.

Re:And now that... (0)

Anonymous Coward | more than 6 years ago | (#23662543)

But the slower a worm propagates the more time there is for AV vendors to release new heuristics to stop it and any software being exploited to patch holes.

Re:And now that... (3, Funny)

Goaway (82658) | more than 6 years ago | (#23662669)

Yeah, that has worked great so far, hasn't it?

Re:And now that... (1)

cp.tar (871488) | more than 6 years ago | (#23664641)

The slower the worm propagates and the less it does in any noticeable manner, the lesser the chance it will be discovered by any means.

The paper (3, Informative)

textstring (924171) | more than 6 years ago | (#23661197)

Here's the pdf http://www.ece.osu.edu/~shroff/journal/worm.pdf [osu.edu] . Seems like if these countermeasures were put in place, viruses would have to be choosy about which hosts they scan instead of just scanning tons of random addresses if they wanted to propagate.

This is trivially defeated (4, Insightful)

Arrogant-Bastard (141720) | more than 6 years ago | (#23661241)

Sufficiently intelligent worms can use passive OS fingerprinting to identify hosts likely to be susceptible to infection (as they make their presence known) and then make a single attempt per host (which will, obviously, succeed or fail), keeping track of such attempts so as to avoid duplicates. Alternatively, worms could use a passive approach and not attempt to propagate at all except in response to traffic from other hosts -- that is, piggybacking themselves on the responses to ordinary traffic, say, HTTP requests, or Torrent requests, or IM requests. While use of such approaches might slow the propagation of a worm in a local sense, they won't slow down network-wide propagation appreciably if initial seeding is done in sufficient numbers and with sufficient network diversity.

Re:This is trivially defeated (1)

Bryansix (761547) | more than 6 years ago | (#23670823)

While using passive identifying techniques means it won't need to scan it will still have to attack. You can keep track of the number of attacks a specific computer makes by looking at the promiscuous traffic coming off of the first hop. Of course that's a lot of data to parse.

Seriously Useless (2, Funny)

Anonymous Coward | more than 6 years ago | (#23661253)

Seriously, let's see how this will work.

sysadmin: $max_scans_allowed = 10;
worm: sh1t! $max_scans_allowed = 10;
sysadmin: sh1t! $max_scans_allowed = 9;
worm: sh1t! $max_scans_allowed = 9;
sysadmin: sh1t! $max_scans_allowed = 8;
worm: sh1t! $max_scans_allowed = 8;
sysadmin: sh1t! $max_scans_allowed = 7;
worm: sh1t! $max_scans_allowed = 7;
sysadmin: sh1t! $max_scans_allowed = 6;
worm: sh1t! $max_scans_allowed = 6;
sysadmin: sh1t! $max_scans_allowed = 5;
worm: sh1t! $max_scans_allowed = 5;
sysadmin: sh1t! $max_scans_allowed = 4;
worm: sh1t! $max_scans_allowed = 4;
sysadmin: sh1t! $max_scans_allowed = 3;
worm: sh1t! $max_scans_allowed = 3;
sysadmin: sh1t! $max_scans_allowed = 2;
worm: sh1t! $max_scans_allowed = 2;
sysadmin: sh1t! $max_scans_allowed = 1;
worm: sh1t! $max_scans_allowed = 1;
sysadmin: sh1t! $max_scans_allowed = 0;

Unplug the internet, no communications allowed.

Re:Seriously Useless (1)

brentonboy (1067468) | more than 6 years ago | (#23661669)

I'm looking all over the internet for what sh1t! means... or is it pure and simple just an obfuscated 4 letter word? If so, can someone explain this post to me? I don't get it.

Re:Seriously Useless (3, Funny)

Anonymous Coward | more than 6 years ago | (#23662743)

sh1t! is programming slang for 100100001

Easy to circumvent. (3, Insightful)

thePowerOfGrayskull (905905) | more than 6 years ago | (#23661291)

The easy way around this is to just slow down the rate of the scans and the type/quantity of scanning done at any one time. Whether it takes hours or weeks, time is not critical when you have millions of PCs at your disposal.

Re:Easy to circumvent. (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23661493)

Although this does mean we've effectively reduced the size of the botnet by a (possibly quite large) constant factor. It would be a greater effect if machines were patched faster.

Re:Easy to circumvent. (1)

thePowerOfGrayskull (905905) | more than 6 years ago | (#23661885)

Hm - kind of. An argument could be made that it would slow the spread of the botnet. And it is probably a safe bet that if the machines can get infected in the first place (unless it's a brand new exploit), there won't be patch updates/installs forthcoming from those particular users...

Re:Easy to circumvent. (3, Informative)

hedwards (940851) | more than 6 years ago | (#23662697)

This has been brought up before. Basically, slowing down a worm allows for more time to create and disseminate a patch for the vulnerability. The idea was that when a virus is detected to throttle down on the bandwidth allocated to the computer and perhaps limit it to just specific security sites for patching as well.

Basically dry up the resources available to the worm and make it as unprofitable as possible to run a botnet in that fashion.

Or in a more cost effective way, just throttle everybody's connection when there's a major outbreak while people get patched. Force the worms and viruses into a much smaller pool. Realistically when some of the larger worms have hit, the bandwidth ends up going mostly to the worms anyways, why not deny the resource to the worm.

Re:Easy to circumvent. (1)

thePowerOfGrayskull (905905) | more than 6 years ago | (#23663961)

But the point is if it was slowed down by design that wouldn't work - because it would remain undetected. That might have other repercussions as well: major outbreaks would not have immediately visible symptoms (such as flooding probes), and so may actually be harder to detect.

Undeployable (3, Insightful)

gweihir (88907) | more than 6 years ago | (#23661357)

Anything that requires changes in most or all sub-networks is guaranteed to fail. Just look at egress-filtering. Many network admins are still unable or unwilling to do it. And these people expect them to implement a worm detector in every subnet? Forget it.

BTW, the idea is not new: "A Fast Worm Scan Detection Tool for VPN Congestion Avoidance" in Proceedings of DIMVA 2005 uses the same idea, but in a context where it is actually implementable and useful. Online under http://www.tik.ee.ethz.ch/~ddosvax/publications/papers/dimva06scan.pdf [ee.ethz.ch] .

WOW (0)

Anonymous Coward | more than 6 years ago | (#23661455)

What a way to take down BitTorrent users!

The. (0)

Anonymous Coward | more than 6 years ago | (#23661517)

I believe the poster meant The Ohio State University.

I didn't realize this was news 2 years ago... (4, Insightful)

jafo (11982) | more than 6 years ago | (#23661531)

I've been running the following iptables rules on our routers for at least the last year or two:

iptables -N ssh_attack   # the chain must exist before rules can be appended to it

iptables -A ssh_attack -m hashlimit --hashlimit 200/min --hashlimit-mode srcip --hashlimit-name ssh_attack --hashlimit-htable-size 599 --hashlimit-htable-max 4096 -j RETURN   # under 200/min for this source IP: return silently

iptables -A ssh_attack -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "SSH-Attack:"   # over the limit: log it, at most once a second

iptables -I FORWARD -o eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ssh_attack   # every outbound SSH SYN leaving via eth0 goes through the chain

In other words, for each internal host allow them to make 200 outbound SSH connections per minute (tracked individually). If they exceed that limit, log a message.

We then have a nagios plugin that checks for this message being in "dmesg". If it is, we get paged.

We watch the sites we host pretty closely, so we don't often run into them getting compromised. The last one was because a host admin re-enabled password logins in SSH *AND* set up a guest account with a password like "guest". Only the guest account was compromised, but I digress.

The thing is that people who compromise these hosts pretty much always use that host to scan for other hosts to attack. And looking for weak passwords on other hosts via SSH seems to be pretty common.

So, once we saw this it was a no-brainer to set up something to alert us when someone started doing it.

Sean
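
An added example of the alerting half of that setup, not Sean's own nagios plugin: it parses kernel log lines in netfilter LOG format, keeps only those carrying the "SSH-Attack:" prefix from the rule above, counts them per internal source address and returns a standard Nagios exit code. The dmesg output embedded below is constructed; the warn/crit thresholds are assumed values.

```python
"""Nagios-style check for "SSH-Attack:" kernel log lines (added example)."""
import re
import subprocess
import sys

OK, WARNING, CRITICAL = 0, 1, 2
LOG_PREFIX = "SSH-Attack:"                    # the --log-prefix used in the iptables rule
FIELD = re.compile(r"\b(SRC|DST|DPT)=(\S+)")  # netfilter LOG fields this check uses

# Constructed kernel log: two unrelated lines and three alerts from two hosts.
SAMPLE_DMESG = """\
[  100.000001] e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex
[ 2345.123456] SSH-Attack:IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 2346.223456] SSH-Attack:IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 2347.323456] SSH-Attack:IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4713 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 2400.000000] usb 1-1: new high-speed USB device number 2 using ehci_hcd
"""


def parse_alerts(lines):
    """Return {src_ip: [dst_ip, ...]} for every line carrying the log prefix."""
    per_src = {}
    for line in lines:
        if LOG_PREFIX not in line:
            continue
        fields = dict(FIELD.findall(line))
        if "SRC" not in fields or fields.get("DPT") != "22":
            continue  # not one of our rule's lines
        per_src.setdefault(fields["SRC"], []).append(fields.get("DST", "?"))
    return per_src


def evaluate(per_src, warn_at=1, crit_at=3):
    """Turn per-source alert counts into a Nagios (exit code, message) pair.

    Defaults are assumptions: one logged host warns, three or more alerts from
    a single host is critical. To page on any hit, as the poster does, use crit_at=1."""
    if not per_src:
        return OK, "OK: no SSH-Attack entries in kernel log"
    detail = ", ".join(f"{src} -> {len(dsts)} target(s), first {dsts[0]}"
                       for src, dsts in sorted(per_src.items()))
    worst = max(len(dsts) for dsts in per_src.values())
    if worst >= crit_at:
        return CRITICAL, f"CRITICAL: outbound SSH scanning from {detail}"
    if worst >= warn_at:
        return WARNING, f"WARNING: outbound SSH scanning from {detail}"
    return OK, f"OK: below thresholds ({detail})"


def check_live_dmesg(**thresholds):
    """Run the check against the real kernel ring buffer (needs dmesg access)."""
    out = subprocess.run(["dmesg"], capture_output=True, text=True, check=False).stdout
    return evaluate(parse_alerts(out.splitlines()), **thresholds)


if __name__ == "__main__":
    code, message = evaluate(parse_alerts(SAMPLE_DMESG.splitlines()), crit_at=1)
    print(message)
    sys.exit(code)
```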

Re:I didn't realize this was news 2 years ago... (1)

Alpha830RulZ (939527) | more than 6 years ago | (#23664175)

You are smart. You will make our people strong.

Re:I didn't realize this was news 2 years ago... (0)

Anonymous Coward | more than 6 years ago | (#23665007)

We use a similar technique in a firewall we sell - If a particular computer does more than X,000 outbound connections in the space of 10 minutes, we consider it to be spammy (worm, email spammer, etc...) and simply drop all future traffic for that host until an end user explicitly lifts the ban.

It does pick up bittorrent traffic too, if the client is too aggressive, so also helps keep your WAN bandwidth from being swamped by torrents.

Re:I didn't realize this was news 2 years ago... (1)

gweihir (88907) | more than 6 years ago | (#23665577)

And I did not claim the idea was new two years ago. Pointing out work that used it two years ago just demonstrates that it is not new now.

I used to do this manually (1)

Craptastic Weasel (770572) | more than 6 years ago | (#23661685)

I used to work as the admin for a small wireless ISP company seven years ago. The equipment they used was easily broken by an infected machine (I think sasser was the big one back then), as the radios packet per second limit was very low compared to other last mile solutions.

To thwart attacks and keep the network working, I would have ntop running at the gateway looking for lots of SYN with no ACK, a usual sign of an infected machine. I would have to kick them off at the node and then politely call them and ask them to have the infection fixed... Once or twice I had to do it myself. :0

This was a very small company. The original planners set up a whole network on extremely flat land, with an 80 foot tree line and plenty of trees. It was tough enough getting enough customers on each node to justify the costs..

Good times.

Move to MacOS -- worms are obsolete here (2, Interesting)

Anonymous Coward | more than 6 years ago | (#23661709)

Like Windows made MS-DOS viruses something to be mentioned in the past, I don't get why people just stop making slapdash hacks, and move to a platform that is 100% immune to this type of malicious software. MacOS has had -zero- remote rootings in the wild in its whole history. Even the vaunted OpenBSD has had three remote holes on its record.

I say leave the worm finding to the Windows and Linux people who are vulnerable to this stuff, and we Mac people can just point and snicker, because a worm or a botnet "client" is just plain impossible to implement on MacOS.

Re:Move to MacOS -- worms are obsolete here (0)

Anonymous Coward | more than 6 years ago | (#23663335)

MacOS X isn't 100% immune to this type of malicious software. I am sure there is a buffer overflow vulnerability in some basic MacOS X service daemon that can be exploited. But because MacOS X isn't as widespread as Windows XP, bot and worm writers haven't deemed it cost effective to find such a vulnerability.

And one can still e-mail you a virus and trick you to run it. Google "ambient authority" and you see why that is possible.

Re:Move to MacOS -- worms are obsolete here (4, Interesting)

thejynxed (831517) | more than 6 years ago | (#23663435)

Erm, actually, OSX has been found to be vulnerable to TONS of things; why else the 30 and 40 patch packs released all at once? :)

Remote vulnerabilities such as this: http://www.securityfocus.com/bid/29514 [securityfocus.com] would say well, maybe MacOSX IS vulnerable to such types of malware (they only need to cause buffer overflows or exploit remote code vulnerabilities and you can get nailed just like any other OS that is coded by humans).

The question is: Are Macs with their puny marketshare, worth the bother of hacking?

Answer: Some people/groups are starting to show interest in this, yes. But on the whole, no, they aren't worth the bother. Mainly this interest has grown since Apple swapped over to x86 architecture. I find that interesting.

I think the bigger thing to sit and think about is this: No software written, and no hardware designed by humans will ever be perfect. There will always be a weakness somewhere in the system. Deal with it the best you can, like everyone else, and stop spouting stupid nonsense about an invulnerable OS.

This is not news (0)

Anonymous Coward | more than 6 years ago | (#23661787)

Of course, this works only if the host doing the scanning doesn't become infected. I don't see how to guarantee this, although of course one can reduce the probability that the scanning host won't become infected by locking it down to a much higher degree than ordinary hosts that need to be flexible to meet the needs of their users.

At the end of the day, this is nothing more than network intrusion detection, employing an incredibly simple anomaly detection algorithm. Surely this isn't news?

Researchers keep getting smarter and smarter (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#23661913)

There really is no need to waste one's time with TFA on a topic full of such sanguine goofiness. In the future, if you feel compelled to write a paper to pass a class or get attention, please do it in a way that authors hard up for new Slashdot material can't find. Thanking you in advance. AC

Worm Weapon... (1)

DRobson (835318) | more than 6 years ago | (#23662063)

Maybe it's because I haven't had my coffee, but after reading the headline as 'Researchers Tout New Worm Weapon' the only thing I could think of was, 'Holy crap, System Shock is for real...'

2003 called.... (0)

Anonymous Coward | more than 6 years ago | (#23662135)

they want their network problems back

As a network admin... (4, Interesting)

rAiNsT0rm (877553) | more than 6 years ago | (#23662607)

I've been a network specialist/admin for a few companies including banks and a university, and my personal idea/solution is a quasi-VLAN system where each workstation is unable to talk directly to other workstations within the same LAN/campus. Think about it: allow workstations to talk to servers and necessary resources but not directly to each other.

There is no need anymore. People need to connect to the Internet and file servers, etc. Rarely if ever is it actually necessary or preferable to have people connect to each other. The servers *should* be the best updated and protected systems and much easier to trust than Joe Sixpack's PC.

You stop worms from impacting you locally, and at worst your Internet pipe gets congested by a big outbreak, which can be more easily traced and combated when you aren't also fighting a spreading fire.

Re:As a network admin... (1, Interesting)

Anonymous Coward | more than 6 years ago | (#23663517)

Yeah, that's a fantastic approach, block computers from connecting to each other. Who wants a functional network anyway?

"What, you want your computers to be able to connect to each other via the network? Really? Let me guess, you also want printers that print too?"

Re:As a network admin... (4, Informative)

Gnavpot (708731) | more than 6 years ago | (#23665383)

Yeah, that's a fantastic approach, block computers from connecting to each other. Who wants a functional network anyway?

The GP explained his point in an easily understandable way. I don't know how you failed to understand it. Anyway, here it comes again in slow motion for your benefit:

In most corporate networks, clients need to connect to servers. They do not need to connect to other clients.

If you block clients' ability to connect to other clients, no functionality is lost, but infected clients can not attack other clients directly.

(I know that some companies use IM internally, but there is nothing forcing IM solutions to be P2P.)

Re:As a network admin... (0)

Anonymous Coward | more than 6 years ago | (#23668643)

How's that work with e.g. NetMeeting, or other T.120/H.323 applications? Block all P2P and install a bunch of "gatekeepers"? Similar functionality, more lag, more capital investment, more upkeep... Management will love it.

Re:As a network admin... (1)

Bryansix (761547) | more than 6 years ago | (#23670905)

Wha? How else am I supposed to connect to the administrative share of people's desktops and drop pictures on them?

Re:As a network admin... (1)

Corbets (169101) | more than 6 years ago | (#23663815)

That's not quite as simple as you make it out to be. OK, assuming a corporate network, you don't have to worry about as many peer-to-peer connections (such as BitTorrent), but I can still think of a number of situations when workstations need to be able to chat with each other: instant messengers, impromptu document sharing when there isn't an "official" share set up that both parties have access to, VoIP applications and teleconferencing solutions, and so forth.

You could design your network from the ground up so that every possible communication happens through an appropriately configured server, but that's just not realistic in most corporations.

Re:As a network admin... (1)

rAiNsT0rm (877553) | more than 6 years ago | (#23666763)

I disagree completely. IM uses a central server. "Impromptu document sharing" is exactly the type of thing that this stops, which is dangerous and circumvents a number of safeguards: macro viruses, viruses, scattered documents which aren't properly backed up, lost due to a system crash, misplaced, inaccessible once an employee leaves, etc. VoIP and teleconferencing can be handled via QoS or a central server.

It isn't hard. I have actually implemented this idea in labs and test case scenarios, and each and every time it amazes people and works perfectly with almost NO interruptions, contrary to the knee-jerk reaction.

Re:As a network admin... (1)

Hatta (162192) | more than 6 years ago | (#23668307)

Of course they're going to tell you that. You're the BOFH, and if they complain, you'll just give them something to really complain about.

Re:As a network admin... (1)

rAiNsT0rm (877553) | more than 6 years ago | (#23668745)

I think the real problem you have is that you are a researcher who has an interest in or even a proficiency for computers and THINK that should make you GOD of your own little domain. If you want to be an expert researcher, research, and defer the technology side to the experts in their field. If you want to be IT, then leave the research, complete the proper education/certifications and be an expert in IT.

I run into this daily; you are no special case, and again your ignorance shines through. I'm no BOFH; everywhere I've worked I have been liked very well because I am NOT a BOFH. I am secure and well educated and skilled, so I don't need to be defensive or angry or show any other hallmarks of an incompetent IT worker.

Re:As a network admin... (1)

Hatta (162192) | more than 6 years ago | (#23669617)

Except that IT has little to no interest in supporting what I as a researcher need to do. They want to implement one-size-fits-all solutions with crappy proprietary technology. I couldn't even get them to set up my gel documentation machine to mount our department's share automatically. As a result, people save their work on that machine and not the network drive. Fortunately, they don't care what I do as long as it doesn't create any extra work for them. So I just installed Cygwin SSH and rsync everything daily. They didn't want to run my database app, so I just installed it on a LAMP stack and blocked everyone but the 5 computers in the lab. They don't know or care what I do, so long as it doesn't make any more work for them.

So I guess you may be right, we just don't have a supportive IT atmosphere here. If IT is willing and able to support all the odd things researchers are likely to try to do, then it would probably work ok. That's not been my experience however. They're more interested in keeping their budget low than facilitating research.

Re:As a network admin... (1)

rAiNsT0rm (877553) | more than 6 years ago | (#23671419)

Fair enough. The problem is that while you think you properly blocked that box to, say, 5 people (or even if you did), more than likely you didn't. You are a busy man with more important things to do than worry about and keep up with the latest patches, updates, and security holes. You probably don't understand vulnerabilities and security to the extent a properly trained/educated IT guy does. So what you THINK is us being one-size-fits-all could be us being understaffed and underfunded and unable to support a bunch of one-off boxes.

I actually love nothing more than facilitating and helping researchers do cool shit, I enjoy that... however many people just want to punch a clock and make things easy and homogeneous. As with anything it is both sides to blame and my idea only illustrates this and shows how my solution benefits everyone if indirectly.

Re:As a network admin... (1)

Hatta (162192) | more than 6 years ago | (#23668237)

Um, right. So when I'm out of the office for a meeting, I shouldn't be able to SSH into my desktop computer to grab some data I forgot to put on my laptop? Or if I need to host a wiki for the lab, I'm going to have to fight with IT instead of just installing a LAMP stack on a spare box and plugging it in? Or what about hosting our lab's database of plasmids, oligos, and cell lines? Or hell, even just retrieving data from various computers hooked up to instruments: our gel imager, phosphorimager, microscopes, etc.

Your plan might work for a bank, where everything needs to be locked down. It would never work for any sort of research institution.

Re:As a network admin... (1)

rAiNsT0rm (877553) | more than 6 years ago | (#23668629)

Umm, right. So all of your arguments fall flat. If you are out of the office you would be connecting one of two ways, VPN or SSH via the Internet, which BOTH would work and are secure. You can't be on Suzy's computer in Accounting and SSH to yours, though, which is for the better.

Exactly right, YOU CAN'T host a wiki or create an unauthorized server by "just installing LAMP"; this is part of the problem. I'm sure you are an expert in each letter of LAMP, which would qualify you to do that. "Fighting with IT" is a problem in your corporate/university structure or a problem with the quality of your IT.

Again, why should a whole lab's info be served up from your personal workstation? Tell me again how this is safe, secure, properly backed up, and proper.

A computer hooked to machinery should be treated and protected as a server and yes you would be able to attach to it.

FYI, I *worked* for banks and high security companies, I currently run a University network where I have researchers, machinery with computers attached, labs, etc.

Valid points, but not all banks operate your way (0)

Anonymous Coward | more than 6 years ago | (#23671319)

I've personally witnessed some pretty flaky setups in other places, including banks. Chase used to do file transfers to Bank One via freaking HYPERTERMINAL on one IT guy's laptop. They later "improved" it by moving the same process to a PC in the data center, but still dialing externally on the same 56k modem using the same insecure Hyperterminal. All this workaround was done because Bank One no longer accepted the IP address of Chase's new mainframe.

Safe to say, not all banks have competent admins. I won't even start on a certain financial company whose credit union PC was compromised from a night worker internally who used it to surf the web, to get outside the company's overly restrictive firewall.

Vpro (0)

Anonymous Coward | more than 6 years ago | (#23662803)

vPro (aka AMT) can do this with built-in heuristics and even put the port, with Cisco equipment in the mix, into a remediation VLAN segmented from your prod network. Or shut it down, boot to a network ISO AV disk and perform a pre-OS scan of the hard drive. This will even work with the newest SafeBoot hard drive encryption.

Caterpillars (1)

pigiron (104729) | more than 6 years ago | (#23663195)

...are not worms.

Ironic? (0)

Anonymous Coward | more than 6 years ago | (#23663561)

So these researchers design a way to help stop fast spreading network killing worms by giving anyone who knows how to spoof an IP address the option to shut off hosts at will?

Worms are not pretty (1)

ASMworkz (1302279) | more than 6 years ago | (#23663789)

Worms are ugly, but they are not that smart so it won't take long to stop them most likely.

Blinking Lights (2, Funny)

Joebert (946227) | more than 6 years ago | (#23664477)

What's wrong with looking at the router lights blinking when the system shouldn't be doing anything and saying "Heeey, that's not right !" ?

Hardly news - already running at a uni for 5 years (1)

Boetsj (1247700) | more than 6 years ago | (#23665613)

A system called Quarantainenet attempting to do the same detection and isolation has been up and running for 5+ years at the University of Twente [utwente.nl] in the Netherlands. It's even evolved into a separate company [quarantainenet.com], which appears to cover several more universities and ISPs in the Netherlands with the system.

How about pre-emptive defence? (1)

Fri13 (963421) | more than 6 years ago | (#23665841)

Why spend money treating effects when you could prevent the cause in the first place using SELinux or AppArmor (those kinds of techniques exist for Windows too)?

About 3-5 years late (0)

Anonymous Coward | more than 6 years ago | (#23665895)

Sorrowfully, worms have long gone out of fashion. Today it is trojans, backdoors and rootkits, which do not spread on their own, but are being spread by spammers, adware and massive automated drive-by download hack attacks. The researchers' method is often useless against these current threats.

Here's a better idea (1)

AmiMoJo (196126) | more than 6 years ago | (#23666141)

If a machine gets infected by a worm, the anti-virus software must have failed to detect that worm. So, you get a report warning you about a particular machine, run a virus scan and find nothing. Now what?

What you need to do is have the software running on the PC itself, so that it can monitor what task is actually running the scans so a human can check it.

This will be news to Forescout. (1)

No-Cool-Nickname (1287972) | more than 6 years ago | (#23666193)

We purchased a Forescout appliance 2 years ago which does the exact same thing. I wonder if the OSU research was reading http://www.forescout.com/counteract/index.html [forescout.com]. As an OSU alum, I am embarrassed by this tripe.

windows xp SP2 (0)

Anonymous Coward | more than 6 years ago | (#23667105)

Oh yeah, we all know how restricting the number of half-open connections in SP2 worked great. /sarcasm

Old News (1)

blendedmetaphor (898386) | more than 6 years ago | (#23667989)

We have been doing this kind of analysis and mitigation since the days of Blaster. Nothing new, but yes, it does work quite effectively for rapidly spreading worms.

Still vexed by SEC offense... (1)

smackwiki (1264766) | more than 6 years ago | (#23671035)

OSU scientists decided to focus on the issue of network worms when they were frustrated by efforts to defuse offensive attacks by the SEC virus. The Florida and LSU variants proved to be too much to handle, and the scientists choked under the pressure.

Ohio State, welcome to 2003 (0)

Anonymous Coward | more than 6 years ago | (#23673225)

Los Alamos National Laboratory has been doing this with NARQ and EMAAD since about then, except their system autoreacts and stops the worms.

http://public.lanl.gov/netsys/analytics/mining.shtml
http://www.osti.gov/doepatents/details.jsp?query_id=0&page=0&ostiID=927841
http://www.lanl.gov/news/newsletter/071706.pdf (page 8)

Etc.

HP ProCurve virus throttling (0)

Anonymous Coward | more than 6 years ago | (#23676805)

This is already being done by ProCurve Networking (by HP)

http://www.hpl.hp.com/news/2003/jan_mar/throttling.html